Study Finds Nearly Half Suffered a Third-Party Data Breach

A lack of visibility, internal resources, and mature security strategies continues to be an obstacle.

Feb 13, 2025

Imprivata, a digital identity company for critical industries, has released new global research with the Ponemon Institute which found that 47 percent of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third party accessing their network. This is similar to the level found when the study was conducted two years ago. Notably, 64 percent of respondents say these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months, indicating the problem is here to stay.

Titled The State of Third-Party Access in Cybersecurity, the report surveyed IT security practitioners and found increased awareness of the security risks associated with third-party access, likely due to organizations being impacted first-hand by a security incident. However, despite efforts to address third-party risk, doing so remains a challenge because of inconsistent and immature security strategies.

Nearly half (48 percent) of organizations agree that third-party remote access is becoming the most common attack surface. “Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.” 

Of the organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (53%), regulatory fines (50%), and severed relationships with the affected third party or vendor (49%). Additionally, 34 percent say the attack involved the third party having too much privileged access.

Specific to the manufacturing sector:

  • In the last 12 months, 42 percent of industrial organizations have experienced a data breach or cyberattack that involved a third-party vendor accessing the organization's network.
  • Of the 37 percent of industrial institutions using artificial intelligence (AI) and machine learning (ML) to reduce privileged access abuse, 57 percent report that it improves the efficiency of efforts to manage third-party and internal privilege access abuse.
  • Only 29 percent of manufacturing organizations have a strategy that is consistently applied across the entire organization to address privileged access risk.
  • Meanwhile, 27 percent of industrial organizations do not have a consistent strategy applied across the organization when it comes to addressing privileged access risk.

As organizations try to respond to the looming third-party threat, they are struggling. More than one-third (35%) of respondents said they were unsure how the cyberattacks they suffered were perpetrated. Organizations have limited visibility into how vendors are accessing their network, creating a massive blind spot.  

In addition to lack of oversight, 41 percent of respondents say insufficient resources or budget are a top barrier to reducing third-party risk. In fact, 44 percent believe managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the security of third-party access.  

Today, most (58%) respondents believe their security strategy to address privileged access risks is inconsistent or non-existent, creating an immediate opportunity to address the issue head-on.  

For more information, download the full report here
